2017 set records for healthcare IT security breaches. As we approach 2018, we look at some top security and privacy trends impacting healthcare delivery.
The Equifax breach may have commanded the most media attention, but 2017 was also a very busy year for health IT security and privacy.
Consider the following findings:
- The healthcare sector is on pace to exceed 2016’s rate of one healthcare security breach per day.
- The top 3 health data breaches impacted nearly 1.5 million individuals in 2017.
- A healthcare data breach costs, on average, $380 per record, more than 2.5 times the global average across all industries.
Whether you’re a small two person practice or a large multihospital system, staying on top of health IT security and privacy will only grow more challenging given the nature of the threat and size of the problem. It’s unfamiliar territory for a profession where treating patients, not protecting data, has been top the priority.
As we approach the new year, let’s highlight some key 2018 health IT security trends to help you better understand the risk and manage your exposure.
Let’s start at the source: data. Its value has never been higher, even as it continues to grow exponentially.
Ironically, the healthcare profession was slow to embrace digitization. Now it’s one of the “fastest growing segments of the digital universe – growing at 48% per year (compared to 40% per year for the overall digital universe).” One report estimated the volume of data will swell from 153 exabytes in 2013 to 2,314 exabytes by 2020.
But the growth of EHRs only increases your exposure. As the Healthcare Industry Cybersecurity Task Force (HCIC Task Force) stated in the final version of its report to Congress in June, “widespread EHR adoption accelerated digitization, resulting in increased attacks on healthcare providers, medical device companies and many other parts of the healthcare industry.”
And this demand for healthcare data will only increase with the advent of value based care, predictive analytics and AI.
Data breaches will continue to challenge the healthcare field. But as Health IT and Security Expert David Finn of CynergisTek stated: “It’s less about selling data and more about disruption.”
In fact, the size of breaches have declined, but their number has increased over all industries. Through very targeted phishing attacks and social engineering, bad actors have been able to gain access to network data, compromise security and hold healthcare providers hostage.
Unlike in the past, however, the value of the data (patients’ addresses, social security numbers, credit cards, health insurance information and health records) has declined because so much is out there on the dark web. The goal now is to hijack your data and get you to pay ransom for its return.
With fighting ransomware becoming a top priority, the HCIC Task Force concluded that healthcare professionals “will need to take a more holistic view toward mitigating risk across the entire infrastructure. This demands a systematic approach for understanding, modeling and reducing risk, and compromising at multiple points in the infrastructure used to deliver care.”
Providers need to make data governance a core component of their IT security strategy. As Finn reinforced: “Think of data as a flow – how you get it, who uses it once it’s inside, who can access it at one point and what role do they have to be in.”
You also need to appreciate that health IT security is getting more specialized. Even though cardiologists and dermatologists both have MD after their name, you wouldn’t turn to the dermatologist for chest pain. Similarly, your IT team must possess the right skills for different security requirements.
They’re pervasive, and their value can be measured in expedited workflows, improved inventory management and better employee tracking. It’s estimated that US hospitals currently average 10 to 15 connected devices per bed.
Estimates vary wildly, but one report says that the global Internet of Things healthcare market is projected to grow from $32.4 billion in 2015 to $163.2 billion by 2020.
As IoT and medical devices like insulin pumps and pacemakers become more interconnected with computers and networks, they represent significant security risks for patients and providers alike.
As the HCIC Taskforce pointed out, the “attack surface” of the health information system expands when interconnected devices, such as mobile devices, medical devices and applications, are permitted to connect to EHRs.
IoT botnets pose a new set of security challenges. An IoT botnet is a group of hacked computers, smart appliances and Internet-connected devices that have been co-opted for illegal purposes. Connected smart devices can be infected with malware and controlled remotely. Anything, including hospitals security cameras, can be used as a botnet to initiate a denial of service attack and shut down the network.
According to a HIMSS Analytics Survey, over 84% of healthcare organizations are already using cloud technology. The migration from on-premise-based storage to the cloud or hybrid model continues to gain market acceptance, and data needs are demanding it.
The global adoption for cloud services in healthcare could jump from $3.73 billion in 2015 to nearly $9.5 billion by 2020.
The growing adoption of the cloud for data storage, analytics and application development serve as security threats for EHRs.
But here’s the key for those inclined to stick with an on-premise-based solution: as Finn explains, “The cloud is not inherently insecure, but it’s a different kind of security. Make sure there is redundancy, and your security is in place before you upload the data, otherwise it’s too late; you’ve already moved your data to the cloud.”
Increasingly, patients see themselves as healthcare consumers. They want technology like patient care portals that provide immediate results, direct access to their doctors and the ability to make online appointments.
From a security perspective, this trend will lead to an expanded use of mobile devices to share and access patient records. Each new device that’s introduced is another potential risk for a security breach and service attack. In fact, it’s the seemingly harmless of nature of mobile devices and wearables that makes them such a potential threat.
Related to mobile devices is the exploding demand for wearable devices like Fitbits. It’s projected that worldwide revenues of wearable medical devices will jump from $2.8 billion in 2014 to $8.3 billion in 2019.
The line is blurring between consumer health wearables and medical devices. Security risks and privacy concerns arise when insecure data is transferred over networks and when third parties store the information on their databases.
These trends, though by no means exhaustive, pose challenges to health IT security and patient privacy. At the same time, they represent tremendous opportunities to treat healthcare security more holistically. The end result will be better ways to manage data in our efforts to improve patient outcomes and lower healthcare costs.
David Finn provides some excellent advice: “We shouldn’t be afraid of these technologies, but we have to be prepared for them and do it right. We’ve gotten to this point by throwing in technology and fixing the results after the fact. And that simply won’t work in this hyperconnected age. You have to get the privacy and security piece right going in.”